PatchSiren cyber security CVE debrief
CVE-2024-50687 Sungrow CVE debrief
CVE-2024-50687 is a medium-severity Sungrow issue disclosed by CISA on 2025-03-13. The advisory says the Solar iCloud API contains multiple insecure direct object references (IDOR) in the devService API model, which could let an attacker access user data without authorization and potentially modify key identifying data values. The advisory covers Sungrow iSolarCloud Android App <=2.1.6 and Sungrow WiNet Firmware (all versions listed in the CSAF), and Sungrow states updated firmware is available.
- Vendor: Sungrow
- Product: iSolarCloud Android App
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-03-13
- Original CVE updated: 2025-03-13
- Advisory published: 2025-03-13
- Advisory updated: 2025-03-13
Who should care
Sungrow iSolarCloud administrators, solar/ICS asset owners, and teams responsible for Sungrow WiNet firmware or the iSolarCloud Android app should care, especially where user accounts or device identity data are managed through the Solar iCloud API.
Technical summary
According to the CISA CSAF advisory, the vulnerable interface is the Solar iCloud API devService model. The weakness is IDOR: access-control checks may allow requests to reference data objects that belong to other users. CISA’s description limits the impact to unauthorized access to user data and possible modification of key identifying data values. The published CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (5.3).
Defensive priority
Prioritize prompt patching and access-control validation. The advisory provides vendor fixes for affected firmware and recommends updating the mobile app as well.
Recommended defensive actions
- Update Sungrow WiNet Firmware to WINET-SV200.001.00.P028 or higher.
- Update the iSolarCloud Android App to the latest version from the device app store.
- Verify that API authorization checks prevent cross-account object access in any integrations that use the devService model.
- Review access to user and device identity data for unexpected changes, using the organization’s normal monitoring and audit processes.
- Follow Sungrow’s security notice and CISA ICS recommended practices for additional defensive guidance.
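The authorization check and the access review described in the two actions above, as an added illustration that is not Sungrow's code and does not model the real devService API: a hypothetical device-lookup service with the unchecked IDOR-style lookup beside an ownership-enforcing one, plus an audit over constructed access-log records that flags cross-account object references. All device ids, account ids and log entries are made up.

```python
"""Object-level authorization and cross-account access audit for an
IDOR-style weakness (hypothetical example, not Sungrow's API)."""

# Constructed sample data: devices keyed by id, each owned by one account.
DEVICES = {
    "dev-1001": {"owner": "acct-A", "serial": "SN-A1", "site": "roof-east"},
    "dev-1002": {"owner": "acct-B", "serial": "SN-B7", "site": "carport"},
}


class NotAuthorized(Exception):
    """Raised when a caller references an object it does not own."""


def get_device_insecure(requester: str, device_id: str) -> dict:
    """IDOR pattern: trusts the client-supplied id and never compares the
    object's owner against the requesting account."""
    return DEVICES[device_id]


def owns(requester: str, device_id: str) -> bool:
    """Object-level check: True only if the object exists AND belongs to
    the requester. Missing and foreign objects are indistinguishable to
    the caller, so ids cannot be enumerated through error responses."""
    device = DEVICES.get(device_id)
    return device is not None and device["owner"] == requester


def get_device(requester: str, device_id: str) -> dict:
    """Hardened lookup: enforce ownership before returning anything."""
    if not owns(requester, device_id):
        raise NotAuthorized(f"{requester} may not access {device_id}")
    return DEVICES[device_id]


def update_device(requester: str, device_id: str, **fields) -> dict:
    """Writes to identifying fields go through the same ownership check,
    and the owner field itself is never client-writable."""
    device = get_device(requester, device_id)
    fields.pop("owner", None)  # ignore attempts to reassign ownership
    device.update(fields)
    return device


# Constructed API access log: (requester, device_id, action).
ACCESS_LOG = [
    ("acct-A", "dev-1001", "read"),
    ("acct-A", "dev-1002", "read"),   # cross-account read
    ("acct-B", "dev-1001", "write"),  # cross-account write
    ("acct-B", "dev-1002", "write"),
]


def audit_cross_account(log):
    """Return log entries whose device belongs to a different account than
    the requester; useful when reviewing historical access after a fix."""
    return [(who, dev, act) for who, dev, act in log if not owns(who, dev)]
```

Run `audit_cross_account(ACCESS_LOG)` to list the two cross-account entries in the constructed log; the same check can be applied to a real export once requester and object-owner columns are available.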
Evidence notes
CISA’s CSAF advisory ICSA-25-072-12, published 2025-03-13, names the affected products as Sungrow iSolarCloud Android App: <=2.1.6 and Sungrow WiNet Firmware: vers:all/*. The advisory description states the Solar iCloud API is vulnerable to multiple IDOR issues via the devService API model, with possible unauthorized access to user data and modification of key identifying data values. The remediations section says Sungrow has released updated firmware and that the iSolarCloud Android App has been repaired and requires no further user action, while also advising users to consult Sungrow’s security notice. No exploitation or KEV listing is provided in the supplied sources.
Official resources
- CVE-2024-50687 CVE record (CVE.org)
- CVE-2024-50687 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published ICS Advisory ICSA-25-072-12 and the accompanying CSAF record on 2025-03-13. This debrief uses that publication date as the CVE context date and does not infer an earlier issue date.